EVENT_TRACE_SYSTEM_EVENT_INFORMATION

The EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure is one of many that the ZwQuerySystemInformation (or NtQuerySystemInformation) and ZwSetSystemInformation (or NtSetSystemInformation) functions expect in their information buffer when given the information class SystemPerformanceTraceInformation (0x1F). This particular structure is selected when the first dword in the information buffer on input is one of:

EventTraceStackTracingInformation (0x06);

EventTracePebsTracingInformation (0x0B);

EventTraceProfileEventListInformation (0x0E).

All are accepted when setting information but only the first when querying.

Usage

All these information classes reveal or specify which of the events that can be sent to an NT Kernel Logger session should have some additional feature, such as call-stack tracing.

At least in user mode, the EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure supports the documented ADVAPI32 (or SECHOST) function TraceSetInformation for its information classes TraceStackTracingInfo (0x03) and TracePmcEventListInfo (0x08). In these cases, well-behaved user-mode software executing above ADVAPI32 does not call NtSetSystemInformation but prefers TraceSetInformation and therefore has no need of this structure.

Documentation Status

The EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure is not documented. Its only known public existence in anything like plain text is a C-language definition in a header file named NTETW.H from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.

Layout

The EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure is 0x18 bytes in both 32-bit and 64-bit Windows.

The HookId array lists the applicable events. From other use of these 16-bit event identifiers, notably in the PERFINFO_TRACE_HEADER and SYSTEM_TRACE_HEADER that begin all events that are sent to an NT Kernel Logger session, it is known that the high and low bytes of the hook ID are a Group and Type, respectively. User-mode interfaces identify these events by a CLASSIC_EVENT_ID structure in which the Group is a GUID, not a byte. The CLASSIC_EVENT_ID is documented but the hundreds of combinations of Group and Type seem not to be.
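The following is an added example, not code from this page, from NTETW.H or from Microsoft. It serves both the selection rule above (which of the three information classes the structure is accepted for on query and on set) and the hook-ID encoding (Group in the high byte, Type in the low byte): it builds the SystemPerformanceTraceInformation (0x1F) input buffer for a list of hook IDs and parses it back, enforcing the query/set rule on the way. It uses no Windows headers, so it compiles on any platform. Two things are assumptions rather than statements of the page: the member offsets (class dword at 0x00, 64-bit TRACEHANDLE at 0x08, ULONG HookId array at 0x10, which with one entry and trailing padding gives the 0x18 bytes the page reports) are taken from my reading of the NTETW.H definition the page cites, and the HookId count is assumed to be derived from the buffer length. The sample hook IDs in main are constructed for illustration and are not claims about which real events they name.

```c
/*
 * Added example: serialise and parse the SystemPerformanceTraceInformation
 * input buffer for the EVENT_TRACE_SYSTEM_EVENT_INFORMATION case, and split a
 * hook ID into Group and Type. Assumed layout from NTETW.H: class at 0x00,
 * TRACEHANDLE (ULONG64) at 0x08, ULONG HookId[] at 0x10. Assumed: the HookId
 * count follows from the buffer length. No Windows headers needed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SystemPerformanceTraceInformation 0x1F   /* SYSTEM_INFORMATION_CLASS */

/* The three EVENT_TRACE_INFORMATION_CLASS values the page lists. */
enum {
    EventTraceStackTracingInformation     = 0x06,
    EventTracePebsTracingInformation      = 0x0B,
    EventTraceProfileEventListInformation = 0x0E
};

/* Assumed member offsets (NTETW.H); the page itself only gives the 0x18 size. */
#define ETSEI_OFF_CLASS   0x00   /* ULONG       EventTraceInformationClass */
#define ETSEI_OFF_HANDLE  0x08   /* TRACEHANDLE TraceHandle                */
#define ETSEI_OFF_HOOKID  0x10   /* ULONG       HookId[ANYSIZE_ARRAY]      */

/* Hook ID: Group in the high byte, Type in the low byte. */
static uint8_t  hookid_group(uint16_t hook)              { return (uint8_t)(hook >> 8); }
static uint8_t  hookid_type(uint16_t hook)               { return (uint8_t)(hook & 0xFF); }
static uint16_t make_hookid(uint8_t group, uint8_t type) { return (uint16_t)((group << 8) | type); }

/* The page's rule: all three classes are accepted on set, only stack tracing on query. */
static bool selects_system_event_info(uint32_t cls, bool setting)
{
    switch (cls) {
    case EventTraceStackTracingInformation:     return true;
    case EventTracePebsTracingInformation:
    case EventTraceProfileEventListInformation: return setting;
    default:                                    return false;
    }
}

/* Serialise the structure for a set operation. Returns the byte count the
 * buffer needs (0x10 plus 4 per hook ID), writing only when buf is large
 * enough; returns 0 on bad input. Each HookId slot is a ULONG but only its
 * low 16 bits carry Group/Type; the gap between members is left zero. */
static size_t build_system_event_info(uint8_t *buf, size_t cap, uint32_t cls,
                                      uint64_t trace_handle,
                                      const uint16_t *hooks, size_t nhooks)
{
    if (nhooks == 0 || !selects_system_event_info(cls, true)) return 0;
    size_t need = ETSEI_OFF_HOOKID + nhooks * sizeof(uint32_t);
    if (buf == NULL || cap < need) return need;
    memset(buf, 0, need);
    memcpy(buf + ETSEI_OFF_CLASS,  &cls,          sizeof cls);
    memcpy(buf + ETSEI_OFF_HANDLE, &trace_handle, sizeof trace_handle);
    for (size_t i = 0; i < nhooks; i++) {
        uint32_t h = hooks[i];
        memcpy(buf + ETSEI_OFF_HOOKID + i * sizeof h, &h, sizeof h);
    }
    return need;
}

/* Inverse: recover class, handle and the 16-bit hook IDs. Returns the number
 * of hook IDs, or 0 if the buffer is too short or mis-sized, if the class is
 * not one the page says selects this structure for the given direction, or
 * if a HookId slot has bits set above 16 (rejected rather than truncated). */
static size_t parse_system_event_info(const uint8_t *buf, size_t len, bool setting,
                                      uint32_t *cls, uint64_t *trace_handle,
                                      uint16_t *hooks, size_t maxhooks)
{
    if (len < ETSEI_OFF_HOOKID + sizeof(uint32_t)) return 0;
    if ((len - ETSEI_OFF_HOOKID) % sizeof(uint32_t) != 0) return 0;
    uint32_t c;
    memcpy(&c, buf + ETSEI_OFF_CLASS, sizeof c);
    if (!selects_system_event_info(c, setting)) return 0;
    size_t n = (len - ETSEI_OFF_HOOKID) / sizeof(uint32_t);
    if (n > maxhooks) return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t h;
        memcpy(&h, buf + ETSEI_OFF_HOOKID + i * sizeof h, sizeof h);
        if (h > 0xFFFF) return 0;
        hooks[i] = (uint16_t)h;
    }
    memcpy(trace_handle, buf + ETSEI_OFF_HANDLE, sizeof *trace_handle);
    *cls = c;
    return n;
}

int main(void)
{
    /* Constructed sample hook IDs: illustrative Group/Type pairs, not real events. */
    uint16_t hooks[] = { make_hookid(0x03, 0x01), make_hookid(0x05, 0x02) };
    uint8_t buf[64];
    size_t len = build_system_event_info(buf, sizeof buf, EventTraceStackTracingInformation,
                                         0x1234ULL, hooks, 2);
    printf("SystemPerformanceTraceInformation (0x%02X) input, %zu bytes:\n",
           SystemPerformanceTraceInformation, len);
    for (size_t i = 0; i < len; i++) printf("%02X%s", buf[i], (i % 8 == 7) ? "\n" : " ");
    for (size_t i = 0; i < 2; i++)
        printf("HookId 0x%04X -> Group 0x%02X, Type 0x%02X\n",
               hooks[i], hookid_group(hooks[i]), hookid_type(hooks[i]));
    return 0;
}
```

Note that the buffer built here is variable-length: the 0x18 bytes the page gives is sizeof the C structure with its single ANYSIZE_ARRAY entry and trailing padding, whereas the example's two-entry buffer is 0x18 bytes only by coincidence. On Windows, the well-behaved path is TraceSetInformation with an array of CLASSIC_EVENT_ID, which names the Group by GUID rather than by the byte that the kernel-side hook ID carries.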

Though the one EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure serves all three information classes that work with lists of events, NTETW.H helpfully defines aliases: